Re: Can I set the user to authenticate as?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Fri, 2013-01-04 at 16:13 -0800, Dylan Martin wrote: 
> Hi all, thanks for reading.
> 
> I'm trying to set up authentication against a remote imap server that
> I don't run.  I've got pam_imap working, so everything is fine as long
> as the username on my box is the same as the username on imap server.
> I'd like to somehow make it possible for someone to log in as a
> different name than is submitted to the imap server.  The fact that
> I'm using imap really shouldn't matter.
> 
> I run a web server for a community college.  We have an email server
> run by the district.  I work at one of the campuses.  I have zero
> control over the email server at district.  I want to authenticate
> users on my web server with their imap accounts (because I hate
> resetting passwords).  Unfortunately, most web server account names
> are different from the imap account names.  For example 'english' or
> 'lab' might be reasonable account names on my web server but that web
> account will be managed by a human with an email account (and IMAP
> username) like 'jdoe'.
> 
> What I need is for someone to log in as 'lab' with a password and have
> PAM ask the IMAP server to authenticate jdoe, and if that succeeds,
> let them log in as 'lab'.
> That means pam would somehow have to know to translate 'lab' into
> 'jdoe' for the conversation with the IMAP server and NOT then try to
> log the user in as 'jdoe' on the web server if the IMAP authentication
> succeeded.
> 
> With pam's flow-through-the-stack nature, I thought there might be a
> module that would change the user name for authentication purposes.
> Like this maybe:
> 
> auth required pam_localuser.so
> auth required pam_map_user.so file=/etc/usermap
> auth requisite pam_imap.so
> 
> I've actually done this before by hacking a module to both map a local
> user to a remote username AND perform the authentication check.  It
> seems odd to me that I'd need to combine those steps.
> 
> Is there a better way to handle this problem?

You can put the mapping module after the pam_imap.so to set the PAM_USER
back to the original value which you can save with pam_set_data().
-- 
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux